#*%! my CISO Says
Barry Caplin Chief Information Security Official
Fairview Health Services
Argyle CISO Summit Wed. Nov. 19, 2014 [email protected] [email protected] @bcaplin http://about.me/barrycaplin http://securityandcoffee.blogspot.com
Nobody cares about Security… The Challenge of Security Awareness
And how do we get their attention and support?
Why?
• Security viewed as a negative
• Avoidance v. "risk"
  – Delays
  – Cost
  – Extra work
  – "Gotchas"
Issues

Policy
Policies are based on solid principles, but adapted to fit the organization.
"Fate, it seems, is not without a sense of irony."

Compliance (Bad CISO)
We write the policies. We make people sign an oath. Done.
"So there is a point you will not go beyond."

Compliance
We must make (understandable) policies. We must teach. We must assess, measure and report.
"It's like a finger pointing away to the moon..."

Awareness (Bad CISO)
Users will know what they have to do or be eliminated.
"The successful criminal brain is always superior. It has to be."

Senior Management (Bad CISO)
I say what they want to hear. They're not listening anyway.
"Why make a trillion when we could make... billions?"

Senior Management
Give them the info they need and they will be an engaged partner.
"Smashing Baby!"

Business Needs (Bad CISO)
I buy the best known security products because they've got to be good.
"Your lack of faith is disturbing."

Business Needs
Working together we find control- and cost-effective security products that work and are usable.
"The Force is strong with this one."
Stuff I Say…

No one has "read and understood"
• but they are definitely still responsible
• Simple, direct language in policy
• Compliance via education

You pay by the word
• Keep policies short and sweet
• If not, you'll pay on the compliance-effort side

People want to do the right thing
• but what is the right thing?
• Understandable policy
• Simple rules

Do What Makes Sense
• Risk Management approach
• Seek out and destroy meaningless policy/controls/practices